Security Incidents mailing list archives
Re: Cracked; rootkit - entrapment question?
From: lamont () ICOPYRIGHT COM (Granquist, Lamont)
Date: Fri, 3 Mar 2000 12:33:28 -0800
On Thu, 2 Mar 2000, Craig H. Rowland wrote:
> If you are facing a serious compromise situation where an attacker has gained full internal access, and you want to contain and analyze the damage, you may wish to deploy a honey pot. For most cases though I think running a honey pot on your external border is not a good idea.
I've pretty much shared your opinion about honey pots, but one idea I've been toying with recently is deploying "canary" systems internally so that if someone smarter than me does get through the perimeter, if they hit the canary system it'll alert me. I'd probably use just a default Red Hat 6.0 install (got enough root holes there to make it easy), call it something tempting like "cybercash" and then modify sh/bash and csh/tcsh to e-mail a warning anytime they are run (and turn off cron jobs to eliminate the false positives). Comments, thoughts, suggestions?
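
The canary idea from the message above, sketched as a wrapper script that stands in for the shell binary; this is an added example, not code from the original post. The path `/bin/sh.real`, the address `security@example.com` and the function names are assumptions, and the sample values in the last branch are constructed.

```shell
#!/bin/sh
# Canary shell wrapper (added example). Assumed install: the real shell has
# been moved to REAL_SHELL and this file put in its place.
REAL_SHELL=/bin/sh.real            # hypothetical path
ALERT_TO=security@example.com      # hypothetical address

# Replace non-printable bytes (newlines included) with '?' and cap the length,
# so arguments chosen by the intruder cannot forge extra lines in the alert.
canary_clean() {
    printf '%s' "$1" | LC_ALL=C tr -c '[:print:]' '?' | cut -c1-200
}

# Build one alert line. Everything is passed in as arguments so the format can
# be checked without touching the system.
# $1 host  $2 invoked-as  $3 user  $4 tty  $5 parent pid  $6 ssh info  $7 args
canary_alert_line() {
    line="CANARY"
    for kv in "host=$1" "shell=$2" "user=$3" "tty=$4" "ppid=$5" \
              "from=$6" "args=$7"; do
        line="$line $(canary_clean "$kv")"
    done
    printf '%s\n' "$line"
}

# Collect the invocation context, raise the alert, then hand over to the real
# shell so the session behaves normally.
canary_main() {
    tty_name=$(tty 2>/dev/null) || tty_name=none
    msg=$(canary_alert_line "$(hostname)" "$0" "$(id -un)" "$tty_name" \
          "$PPID" "${SSH_CONNECTION:-local}" "$*")
    # syslog record first; mail goes out in the background so the shell
    # starts without waiting on the mailer.
    logger -p auth.alert -t canary-shell -- "$msg" 2>/dev/null
    printf '%s\n' "$msg" |
        mail -s "canary shell run on $(hostname)" "$ALERT_TO" >/dev/null 2>&1 &
    exec "$REAL_SHELL" "$@"
}

if [ -x "$REAL_SHELL" ]; then
    canary_main "$@"
else
    # Not installed as a canary: print a sample line from constructed values.
    canary_alert_line cybercash /bin/sh root /dev/pts/0 4242 \
        "192.0.2.7 51515 10.0.0.5 22" "-c id"
fi
```

With cron and other scheduled jobs disabled on the canary host, as the message suggests, any `CANARY` line in syslog or the mailbox is worth investigating.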